WebSphere Java Security Issue :

0
votes

5I haven't worked on Websphere earlier and now stuck with the Security Issue.

  • I have deployed a War file in WebSphere. Path : C:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\ip-0AC30DDBNode01Cell\DMS_war.ear
  • From UI, when we click on specific button it loads a JSP file, which in turn tries to read an xml file ( stored in WEB-INF/classes/mcc.xml).
  • The jsp file is not able to READ the xml file.

Please help in how to add the security/permission WebSphere. Also I'm not sure in which file we have to do this.( app.policy,java.policy,was.policy)

Log

com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: Uncaught exception created in one of the service methods of the servlet /awc/pcmgr/pcmgr.jsp in application DMS_war. Exception created : java.security.AccessControlException: Access denied (java.io.FilePermission C:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\ip-0AC30DDBNode01Cell\DMS_war.ear\DMS.war\WEB-INF\classes\mcc.xml read) at java.security.AccessController.checkPermission(AccessController.java:108) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkRead(SecurityManager.java:871)

So far I tried everything , heres the latest was.policy file. (location : META-INF/)

//
// Template policy file for enterprise application.
// Extra permissions can be added if required by the enterprise application.
//
// NOTE: Syntax errors in the policy files will cause the enterprise application FAIL to start.
//       Extreme care should be taken when editing these policy files. It is advised to use
//       the policytool provided by the JDK for editing the policy files
//       (WAS_HOME/java/jre/bin/policytool). 
//

grant codeBase "file:${application}" {
permission java.security.AllPermission;
};

grant codeBase "file:${jars}" {
};

grant codeBase "file:${connectorComponent}" {
};

grant codeBase "file:${webComponent}" {
};

grant codeBase "file:${ejbComponent}" {
};

UPDATE : This is how existing code reads XML file

SAXBuilder builder  = new SAXBuilder();
Document   doc      = builder.build(getServletContext().getRealPath("/WEB-INF/classes/mcc.xml")); 
// Use doc to get properties defined in file

Thanks

1
webspherewarjava-security
Did you try to disable Java 2 Security via admin console?Gas
Yes, I tried that also. But same result. Isn't there some way to add permission for the asked resource(xml file in my case) in policy file ?maddy man
If you disabled Java 2 Security that exception should no longer appear. In general, your was.policy file, with just first entry should be ok. You can set com.ibm.websphere.java2secman.norethrow property to just log the missing permission. See Java 2 security for more details.Gas
Actually what I really want is that jsp page should be able to READ the xml file. Does by setting this property will that be achievable ?maddy man
Yes, but then you in a sense disable whole Java 2 Security. So if it is not needed, just disable Java 2 security and restart the server, not create that property. If Java 2 Security is required, you can use that property to find out missing permission, but you shouldn't leave it on.Gas

1 Answers

1
votes

It would be easier to judge it you post piece of your source code where you read the file. But if I were you I would try reading that file as a resource steam.

Something like this:

InputStream is = this.getClass().getClassLoader().getResourceAsStream("mcc.xml");
if (is == null) {
    // file not found or something went wrong
}

// read the stream